SYM_PY_0096 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Python's shelve module stores values with pickle, and unpickling can execute arbitrary code when the data is attacker-controlled. If your application opens a shelf whose contents come from an untrusted source, reading from it unpickles attacker-supplied bytes, which can result in arbitrary code execution.
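The example below is added here and is not code from the wiki or the project. It shows that a shelf's backing store holds raw pickle bytes (so every read is a pickle.loads on whatever is in the file) and, as a hardened alternative, a small JSON-backed mapping over dbm; `JsonShelf` is a hypothetical name chosen for this example.

```python
"""shelve is pickle underneath; a JSON-backed replacement for untrusted data."""
import dbm
import json
import os
import pickle
import shelve
import tempfile
from collections.abc import MutableMapping


def shelve_stores_pickle() -> bool:
    """Wrap a plain dict in shelve.Shelf and inspect what it really writes."""
    backing: dict = {}
    with shelve.Shelf(backing) as s:
        s["user"] = {"name": "alice", "roles": ["admin"]}
    raw = backing[b"user"]  # shelve encodes keys and pickles values
    # Pickle protocol >= 2 begins with the PROTO opcode 0x80; reading the key
    # back is pickle.loads(raw), i.e. CWE-502 if raw is attacker-controlled.
    return raw[:1] == b"\x80" and pickle.loads(raw) == {"name": "alice", "roles": ["admin"]}


class JsonShelf(MutableMapping):
    """Hypothetical shelve-style mapping over dbm that serializes values as JSON.

    json.loads() cannot instantiate arbitrary classes or call functions, so a
    tampered file can at worst yield unexpected JSON, never code execution.
    """

    def __init__(self, path: str):
        self._db = dbm.open(path, "c")

    def __getitem__(self, key: str):
        return json.loads(self._db[key.encode()])

    def __setitem__(self, key: str, value) -> None:
        self._db[key.encode()] = json.dumps(value).encode()

    def __delitem__(self, key: str) -> None:
        del self._db[key.encode()]

    def __iter__(self):
        return (k.decode() for k in self._db.keys())

    def __len__(self) -> int:
        return len(self._db)

    def close(self) -> None:
        self._db.close()


def roundtrip_json_shelf() -> dict:
    """Write a record with JsonShelf, reopen the file and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "records")
        shelf = JsonShelf(path)
        shelf["user"] = {"name": "alice", "roles": ["admin"]}
        shelf.close()
        reopened = JsonShelf(path)
        try:
            return reopened["user"]
        finally:
            reopened.close()
```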
Impact
If exploited, an attacker could gain control over the server or access sensitive data by executing arbitrary code during deserialization. This could lead to data breaches, system compromise, or further attacks within your environment.